U.S. patent application number 14/749072 was filed with the patent office on 2015-10-15 for methods to manage services over a service gateway.
The applicant listed for this patent is A10 Networks, Inc. Invention is credited to Rajkumar Jalan, Rishi Sampat, Feilong Xu.
Application Number | 20150296058 14/749072
Family ID | 48655681
Filed Date | 2015-10-15
United States Patent Application | 20150296058
Kind Code | A1
Jalan; Rajkumar; et al. | October 15, 2015
Methods to Manage Services over a Service Gateway
Abstract
In activating a service, a service gateway retrieves a service
table entry using a service or server address of the service entry,
where the service table entry has an association with another
service entry. An association to the service entry is added and a
marker value is set to indicate associations with two service
entries. After a time duration, the association with the other
service entry is removed, and the marker value is changed
accordingly. In deactivating a service entry, the service gateway
calculates a hash value for the service or server address of the
service entry. After matching the hash value to a hash value of
another service entry, an association with the other service entry
is added. A marker value is set to indicate associations with two
service entries. After a time duration, the association with the
service entry is removed, and the marker value is changed
accordingly.
Inventors: | Jalan; Rajkumar; (Saratoga, CA); Xu; Feilong; (San Jose, CA); Sampat; Rishi; (Santa Clara, CA)
Applicant:
Name | City | State | Country | Type
A10 Networks, Inc. | San Jose | CA | US |
Family ID: | 48655681
Appl. No.: | 14/749072
Filed: | June 24, 2015
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
13337030 | Dec 23, 2011 | 9094364
14749072 | |
Current U.S. Class: | 370/392
Current CPC Class: | H04L 67/2814 20130101; H04L 61/103 20130101; H04L 69/22 20130101; H04L 43/0817 20130101; H04L 67/02 20130101; H04L 67/28 20130101; G06F 9/505 20130101; H04L 67/1008 20130101; H04L 61/00 20130101; H04L 67/00 20130101; H04L 61/2007 20130101; H04L 61/1541 20130101; H04L 61/255 20130101
International Class: | H04L 29/06 20060101 H04L029/06; H04L 29/08 20060101 H04L029/08; H04L 29/12 20060101 H04L029/12
Claims
1. A system for processing an uninterrupted service session
comprising: a service gateway communicatively coupled to a host
using a first network and to a plurality of servers using a second
network, the service gateway processing a service session between
the host and at least one of the plurality of servers, the service
gateway including a processor coupled to a memory, the memory
storing instructions executable by the processor to perform a
method comprising: getting a first service entry, the first service
entry including a service address and a first server address, the
first service address including an address associated with the
service gateway and a service identifier; storing the first service
entry with an active status designation in a service table entry of
a service mapping table, the service mapping table including a
plurality of service table entries, the table entry associated with
a service; changing a status designation of a second service entry
to an inactive status designation, the second service entry stored
in the service table entry, the second service entry including the
service address and a second server address; receiving a first data
packet from the host, the first data packet including the service
address; determining a first server address associated with the
service address using the first service entry; modifying the first
data packet, the modifying including replacing the service address
with the first server address; and forwarding the modified first
data packet to the first server address.
2. The system of claim 1 wherein the method further comprises:
receiving a second data packet from the host, the second data
packet including the service address; determining a second server
address associated with the service address; modifying the second
data packet, the modifying including replacing the service address
with the second server address; and forwarding the modified second
data packet to the second server address.
3. The system of claim 2 wherein the determining the second server
address comprises: retrieving from the service mapping table the
second service entry in the service table entry corresponding to
the service address; and identifying the second server address in
the second service entry.
4. The system of claim 2 wherein the service mapping table is
indexed using a hash function and the index is stored in a table
index, and wherein the determining the second server address
comprises: applying the hash function to the service address to
generate a hash value; retrieving from the service mapping table
the second service entry in the service table entry corresponding
to the service address using the hash value and the status
designation of the second service entry; and identifying the second
server address in the second service entry.
5. The system of claim 4 wherein the hash function is at least one
of: a checksum function, a cyclic redundancy check (CRC) function,
bit-wise AND operator, bit-wise OR operator, bit-wise NAND
operator, bit-wise NOR operator, MD5 hash function, cryptographic
hash function, Jenkins hash function, table lookup function, hash
function performed by an application specific integrated circuit
(ASIC), and hash function performed by a field programmable gate
array (FPGA).
6. The system of claim 1 wherein the determining the first server
address comprises: retrieving from the service mapping table the
first service entry in the service table entry corresponding to the
service address; and identifying the first server address in the
first service entry.
7. The system of claim 5 wherein the service table entry is indexed
using a hash function and the index is stored in a table index, and
wherein the determining the first server address comprises:
applying the hash function to the service address to generate a
hash value; retrieving from the service mapping table the first
service entry in the service table entry corresponding to the
service address using the hash value and the status designation of
the first service entry; and identifying the first server address
in the first service entry.
8. The system of claim 7 wherein the hash function is at least one
of: a checksum function, a cyclic redundancy check (CRC) function,
bit-wise AND operator, bit-wise OR operator, bit-wise NAND
operator, bit-wise NOR operator, MD5 hash function, cryptographic
hash function, Jenkins hash function, table lookup function, hash
function performed by an application specific integrated circuit
(ASIC), and hash function performed by a field programmable gate
array (FPGA).
9. The system of claim 1 further comprising: a timer, the timer
calculating when a predetermined amount of time has elapsed,
wherein the method further comprises: starting the time in response
to storing the first service entry, wherein the changing the status
designation of the second service entry is in response to the timer
calculated the predetermined amount of time has elapsed.
10. The system of claim 1 wherein the service address includes at
least one of: a destination Internet Protocol (IP) address, an
application layer address, and a destination transport layer port
number, the transport layer port number being at least one of a:
transmission control protocol (TCP) port number and a user datagram
protocol (UDP) port number, and the service identifier identifying
at least one of a: Hypertext Transport Protocol (HTTP) session, a
secure HTTP session, a File Transfer Protocol (FTP) session, a file
sharing protocol session; a Session Initiation Protocol (SIP)
session, a web session, a video and/or audio streaming session, and
a web conferencing session.
11. A method for processing an uninterrupted service session by a
service gateway communicatively coupled to a host using a first
network and to a plurality of servers using a second network, the
service gateway processing a service session between the host and
at least one of the plurality of servers, the method comprising:
getting a first service entry, the first service entry including a
service address and a first server address, the first service
address including an address associated with the service gateway
and a service identifier; storing the first service entry with an
active status designation in a service table entry of a service
mapping table, the service mapping table including a plurality of
service table entries, the table entry associated with a service;
changing a status designation of a second service entry to an
inactive status designation, the second service entry stored in the
service table entry, the second service entry including the service
address and a second server address; receiving a first data packet
from the host, the first data packet including the service address;
determining a first server address associated with the service
address using the first service entry; modifying the first data
packet, the modifying including replacing the service address with
the first server address; and forwarding the modified first data
packet to the first server address.
12. The method of claim 11 further comprising: receiving a second
data packet from the host, the second data packet including the
service address; determining a second server address associated
with the service address; modifying the second data packet, the
modifying including replacing the service address with the second
server address; and forwarding the modified second data packet to
the second server address.
13. The method of claim 12 wherein the determining the second
server address comprises: retrieving from the service mapping table
the second service entry in the service table entry corresponding
to the service address; and identifying the second server address
in the second service entry.
14. The method of claim 12 wherein the service mapping table is
indexed using a hash function and the index is stored in a table
index, and wherein the determining the second server address
comprises: applying the hash function to the service address to
generate a hash value; retrieving from the service mapping table
the second service entry in the service table entry corresponding
to the service address using the hash value and the status
designation of the second service entry; and identifying the second
server address in the second service entry.
15. The method of claim 14 wherein the hash function is at least
one of: a checksum function, a cyclic redundancy check (CRC)
function, bit-wise AND operator, bit-wise OR operator, bit-wise
NAND operator, bit-wise NOR operator, MD5 hash function,
cryptographic hash function, Jenkins hash function, table lookup
function, hash function performed by an application specific
integrated circuit (ASIC), and hash function performed by a field
programmable gate array (FPGA).
16. The method of claim 11 wherein the determining the first server
address comprises: retrieving from the service mapping table the
first service entry in the service table entry corresponding to the
service address; and identifying the first server address in the
first service entry.
17. The method of claim 15 wherein the service table entry is
indexed using a hash function and the index is stored in a table
index, and wherein the determining the first server address
comprises: applying the hash function to the service address to
generate a hash value; retrieving from the service mapping table
the first service entry in the service table entry corresponding to
the service address using the hash value and the status designation
of the first service entry; and identifying the first server
address in the first service entry.
18. The method of claim 17 wherein the hash function is at least
one of: a checksum function, a cyclic redundancy check (CRC)
function, bit-wise AND operator, bit-wise OR operator, bit-wise
NAND operator, bit-wise NOR operator, MD5 hash function,
cryptographic hash function, Jenkins hash function, table lookup
function, hash function performed by an application specific
integrated circuit (ASIC), and hash function performed by a field
programmable gate array (FPGA).
19. The method of claim 11 further comprising: a timer, the timer
calculating when a predetermined amount of time has elapsed,
wherein the method further comprises: starting the time in response
to storing the first service entry, wherein the changing the status
designation of the second service entry is in response to the timer
calculated the predetermined amount of time has elapsed.
20. The method of claim 11 wherein the service address includes at
least one of: a destination Internet Protocol (IP) address, an
application layer address, and a destination transport layer port
number, the transport layer port number being at least one of a:
transmission control protocol (TCP) port number and a user datagram
protocol (UDP) port number, and the service identifier identifying
at least one of a: Hypertext Transport Protocol (HTTP) session, a
secure HTTP session, a File Transfer Protocol (FTP) session, a file
sharing protocol session; a Session Initiation Protocol (SIP)
session, a web session, a video and/or audio streaming session, and
a web conferencing session.
21. A method for processing an uninterrupted service session by a
service gateway communicatively coupled to a host using a first
network and to a plurality of servers using a second network, the
service gateway processing a service session between the host and
at least one of the plurality of servers, the method comprising:
receiving a first data packet from the host, the first data packet
including a service address; applying a hash function to the
service address to generate a hash value; retrieving from a service
mapping table a first service entry in a service table entry
corresponding to the service address using the hash value and a
status designation of the first service entry, the service mapping
table including a plurality of service table entries and being
indexed using the hash function, the index being stored in a table
index, the first service entry being stored in the service table
entry and including the service address and a second server
address, the service table entry being associated with a service;
identifying the first server address in the first service entry;
modifying the first data packet, the modifying including replacing
the service address with the first server address; forwarding the
modified first data packet to the first server address; getting a
second service entry, the second service entry including the
service address and a second server address, the second service
address including an address associated with the service gateway
and a service identifier; storing the second service entry with an
active status designation in the service table entry of the service
mapping table; changing a status designation of the first service
entry to an inactive status designation; receiving a second data
packet from the host, the second data packet including the service
address; retrieving from the service mapping table the second
service entry in the service table entry corresponding to the
service address using the hash value and the status designation of
the second service entry; identifying the second server address in
the second service entry; modifying the second data packet, the
modifying including replacing the service address with the second
server address; and forwarding the modified second data packet to
the second server address.
Description
BACKGROUND OF THE INVENTION
[0001] 1. Field
[0002] This invention relates generally to data communications, and
more specifically, to a service gateway.
[0003] 2. Background
[0004] Service gateways such as server load balancers, firewalls,
or traffic managers are typically deployed to bridge services
between client computing devices and application servers. The
number of client computing devices has proliferated in the past few
years in the areas of consumer computers, mobile computing devices,
smartphones, and gaming devices.
[0005] When the number of client devices increases, the number of
service sessions between client devices and application servers
increases accordingly. Traditional stateful session packet
processing used by service gateways gives way to stateless packet
processing. Stateless packet processing is more efficient in
computation and in memory consumption. It is well suited to scaling
up services for an expected large number of service sessions.
A typical stateless packet processing method uses a form of hash
table. The table stores predetermined server and application
information.
[0006] At the same time, the number of applications also increases
rapidly as consumers and corporations install new applications on
their computing devices. More servers are installed every day, and
more applications become available every hour. In order to activate
a server or an application in a server, an operator needs to update
the hash table with the additional server or application
information. Often, updating the table means replacing the existing
server or application information of a table entry with that of the
server or application being activated. Such table entry content
replacement is disruptive to any ongoing service session using
the existing table entry. Data packets of any ongoing service
session would not be forwarded to the proper server or client
device. For example, if a consumer is watching a Netflix™
streaming video, the video stream will be abruptly stopped. If a
corporate worker is in the middle of a business transaction, the
transaction will be stalled. The worker needs to restart the
transaction. In a worst case, the worker may need to find out which
part of the transaction had been completed in order to avoid
duplicating the completed portion of the transaction.
[0007] In addition to activating a new server or application,
during maintenance such as backup, software update, hardware
replacement, servers and applications are often taken off line. The
corresponding table entries will also need to be replaced as the
server or the application on a server is no longer available at the
table entry. It is desirable to replace the table entry with a
second server or another server running the same application.
[0008] It is highly desirable to have a stateless packet processing
method while services can be managed to allow a server or an
application on a server to be added or removed, without
interrupting existing service sessions.
[0009] Therefore, there is a need for a method to manage services
over a service gateway using a stateless packet processing
method.
BRIEF SUMMARY OF THE INVENTION
[0010] According to one embodiment of the present invention, a
method for managing services by a service gateway comprises: (a)
receiving a first service entry for a service to be activated by
the service gateway, the first service entry comprising a first
service address associated with the first service and a first
server address; (b) retrieving a service table entry of a service
mapping table using the first service address or the first server
address of the first service entry, the service table entry having
an association with a second service entry, the second service
entry comprising a second service address and a second server
address; (c) adding to the service table entry an association to
the first service entry; (d) storing a marker value associated with
the service table entry to indicate that the service table entry is
associated with a plurality of service entries; (e) setting a timer
associated with the service table entry to a predetermined
duration; (f) in response to an expiration of the timer, removing
the association with the second service entry from the service
table entry; and (g) in response to removing the association with
the second service from the service table entry, changing the
marker value to indicate that the service table entry is not
associated with a plurality of service entries.
[0011] In one aspect of the present invention, prior to the
removing of the association with the second service entry from the
service table entry, the method further comprises: (h) receiving a
data packet by the service gateway from a host, the data packet
comprising a third service address; (i) comparing the third service
address of the data packet with the first service address of the
first service entry or with the second service address of the
second service entry; (j) in response to finding a match between
the third service address and the first service address, or between
the third service address and the second service address,
determining the marker value associated with the service table
entry; (k) in response to determining that the marker value
indicates that the service table entry is associated with a
plurality of service entries, creating a session entry based on the
service table entry and storing the session entry in a session
table; (l) in response to finding the match between the third
service address and the first service address, modifying the data
packet by replacing the third service address with the first server
address; (m) in response to finding the match between the third
service address and the second service address, modifying the data
packet by replacing the third service address with the second
server address; and (n) sending the modified data packet to the
first server address or the second server address.
[0012] In one aspect of the present invention, prior to the
removing of the association with the second service entry from the
service table entry, the method further comprises: (h) receiving a
data packet by the service gateway from a server, the data packet
comprising a third server address; (i) comparing the third server
address of the data packet with the first server address of the
first service entry or with the second server address of the second
service entry; (j) in response to finding a match between the third
server address and the first server address, or between the third
server address and the second server address, determining the
marker value associated with the service table entry; (k) in
response to determining that the marker value indicates that the
service table entry is associated with a plurality of service
entries, creating a session entry based on the service table entry
and storing the session entry in a session table; (l) in response
to finding the match between the third server address and the first
server address, modifying the data packet by replacing the third
server address with the first service address; (m) in response to
finding the match between the third server address and the second
server address, modifying the data packet by replacing the third
server address with the second service address; and (n) sending the
modified data packet to a host address from the data packet.
[0013] In one aspect of the present invention, the receiving (h)
comprises: (h1) receiving the data packet from the host; (h2)
comparing the data packet against session entries in the session
table; (h3) in response to finding a match between the data packet
and a given session entry in the session table: (h3i) modifying the
data packet by replacing the third service address with a given
server address in the given session entry; (h3ii) skipping the
comparing (i), the determining (j), the creating (k), the modifying
(l), the modifying (m), and the sending (n); and (h3iii) sending
the modified data packet to the given server address; and (h4) in
response to finding no matches between the data packet and the
session entries, performing the comparing (i), the determining (j),
the creating (k), the modifying (l), the modifying (m), and the
sending (n).
[0014] In one embodiment of the present invention, a method for
managing services by a service gateway, comprises: (a) receiving an
indication to deactivate a first service entry for a service, the
first service entry comprising a first service address associated
with the service and a first server address, the first service
entry associated with a service table entry of a service mapping
table; (b) calculating a first hash value for the first service
address or the first server address of the first service entry; (c)
determining whether a second hash value of a second service entry
in the service mapping table matches the first hash value, the
second service entry comprising a second service address and a
second server address; (d) in response to determining that the
second hash value matches the first hash value, adding an
association with the second service entry to the service table
entry; (e) storing a marker value associated with the service table
entry to indicate that the service table entry is associated with a
plurality of service entries; (f) setting a timer associated with
the service table entry to a predetermined duration; (g) in
response to an expiration of the timer, removing the association
with the first service entry from the service table entry; and (h)
in response to removing the association with the first service
entry from the service table entry, changing the marker value to
indicate that the service table entry is not associated with a
plurality of service entries.
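The activation, packet-handling and deactivation steps summarized in [0010]-[0014], as an added Python sketch; it is not code from the patent or from A10 Networks. The class and field names, the CRC-32-modulo index, the candidate list passed to `deactivate`, and keeping session entries after the timer expires are assumptions of this example, and all addresses are constructed.

```python
import zlib
from dataclasses import dataclass, field

SINGLE, PLURAL = 0, 1  # marker values; the names are this example's own

@dataclass(frozen=True)
class ServiceEntry:
    service_addr: str  # address hosts send to (gateway address plus port)
    server_addr: str   # server that handles the service

@dataclass
class TableEntry:
    entries: list = field(default_factory=list)  # associated service entries
    marker: int = SINGLE
    retiring: "ServiceEntry | None" = None       # association dropped on expiry
    expires_at: float = 0.0

class ServiceGateway:
    def __init__(self, buckets=16, overlap_seconds=30.0):
        self.table = [TableEntry() for _ in range(buckets)]
        self.sessions = {}  # (host_addr, service_addr) -> server_addr
        self.overlap_seconds = overlap_seconds

    def index(self, service_addr):
        # CRC is one hash the claims list; "mod table size" is assumed here.
        return zlib.crc32(service_addr.encode()) % len(self.table)

    def _start_overlap(self, te, retiring, now):
        te.marker, te.retiring = PLURAL, retiring
        te.expires_at = now + self.overlap_seconds

    def activate(self, new, now):
        """[0010] (a)-(e): associate `new` next to the entry already there."""
        te = self.table[self.index(new.service_addr)]
        old = te.entries[0] if te.entries else None
        te.entries.append(new)
        if old is not None:
            self._start_overlap(te, old, now)

    def deactivate(self, entry, candidates, now):
        """[0014] (a)-(f): bring in a replacement whose hash matches `entry`."""
        idx = self.index(entry.service_addr)
        te = self.table[idx]
        for cand in candidates:
            if cand not in te.entries and self.index(cand.service_addr) == idx:
                te.entries.append(cand)
                self._start_overlap(te, entry, now)
                return cand
        return None  # no matching replacement: leave the entry untouched

    def tick(self, now):
        """Timer expiry: remove the retiring association, reset the marker."""
        for te in self.table:
            if te.marker == PLURAL and now >= te.expires_at:
                te.entries.remove(te.retiring)
                te.marker, te.retiring = SINGLE, None

    def forward(self, host_addr, service_addr):
        """Server address a host packet is rewritten to, or None if unknown."""
        key = (host_addr, service_addr)
        if key in self.sessions:             # [0013] (h2)-(h3): session first
            return self.sessions[key]
        te = self.table[self.index(service_addr)]
        for e in te.entries:                 # [0011] (i): compare addresses
            if e.service_addr == service_addr:
                if te.marker == PLURAL:      # (k): record a session entry
                    self.sessions[key] = e.server_addr
                return e.server_addr         # (l)/(m): rewrite target
        return None

def run_demo():
    gw = ServiceGateway()
    old = ServiceEntry("203.0.113.10:8000", "10.0.0.1:8000")  # constructed
    # Constructed second service that lands in the same table entry as `old`.
    port = next(p for p in range(8001, 9000)
                if gw.index(f"203.0.113.10:{p}") == gw.index(old.service_addr))
    new = ServiceEntry(f"203.0.113.10:{port}", "10.0.0.2:8000")
    te = gw.table[gw.index(old.service_addr)]
    out = {}
    gw.activate(old, now=0)
    out["stateless"] = (gw.forward("198.51.100.7", old.service_addr), len(gw.sessions))
    gw.activate(new, now=100)                      # overlap begins
    out["marker_overlap"] = te.marker
    out["old_flow"] = gw.forward("198.51.100.7", old.service_addr)
    out["new_flow"] = gw.forward("198.51.100.8", new.service_addr)
    out["sessions"] = len(gw.sessions)
    gw.tick(now=130)                               # timer expired
    out["after"] = (te.marker, te.entries == [new])
    out["pinned"] = gw.forward("198.51.100.7", old.service_addr)
    out["fresh"] = gw.forward("198.51.100.9", old.service_addr)
    repl = gw.deactivate(new, [old], now=200)      # [0014]: swap `old` back in
    gw.tick(now=230)
    out["deactivated"] = (repl == old, te.entries == [old], te.marker)
    return out

if __name__ == "__main__":
    print(run_demo())
```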
[0015] System and computer program products corresponding to the
above-summarized methods are also described and claimed herein.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE FIGURES
[0016] FIG. 1 illustrates an embodiment of a stateless service
gateway between a host and a plurality of service addresses
according to the present invention.
[0017] FIG. 2 illustrates an embodiment of a managed service
mapping table for a stateless service gateway according to the
present invention.
[0018] FIGS. 3A-3F illustrate an embodiment of a data packet
processing method according to the present invention.
[0019] FIG. 4 illustrates an embodiment of a process to add a
service entry according to the present invention.
[0020] FIG. 5 illustrates an embodiment of a process to remove a
service entry according to the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0021] The following description is presented to enable one of
ordinary skill in the art to make and use the present invention and
is provided in the context of a patent application and its
requirements. Various modifications to the embodiment will be
readily apparent to those skilled in the art and the generic
principles herein may be applied to other embodiments. Thus, the
present invention is not intended to be limited to the embodiment
shown but is to be accorded the widest scope consistent with the
principles and features described herein.
[0022] The present invention can take the form of an entirely
hardware embodiment, an entirely software embodiment or an
embodiment containing both hardware and software elements. In a
preferred embodiment, the present invention is implemented in
software, which includes but is not limited to firmware, resident
software, microcode, etc.
[0023] Furthermore, the present invention can take the form of a
computer program product accessible from a computer-usable or
computer-readable medium providing program code for use by or in
connection with a computer or any instruction execution system. For
the purposes of this description, a computer-usable or computer
readable medium can be any apparatus that can contain, store,
communicate, propagate, or transport the program for use by or in
connection with the instruction execution system, apparatus, or
device.
[0024] The medium can be an electronic, magnetic, optical,
electromagnetic, infrared, or semiconductor system (or apparatus or
device) or a propagation medium. Examples of a computer-readable
medium include a semiconductor or solid state memory, magnetic
tape, a removable computer diskette, a random access memory (RAM),
a read-only memory (ROM), a rigid magnetic disk and an optical
disk. Current examples of optical disks include compact disk-read
only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.
[0025] A data processing system suitable for storing and/or
executing program code will include at least one processor coupled
directly or indirectly to memory elements through a system bus. The
memory elements can include local memory employed during actual
execution of the program code, bulk storage, and cache memories
which provide temporary storage of at least some program code in
order to reduce the number of times code must be retrieved from
bulk storage during execution.
[0026] Input/output or I/O devices (including but not limited to
keyboards, displays, pointing devices, etc.) can be coupled to the
system either directly or through intervening I/O controllers.
[0027] Network adapters may also be coupled to the system to enable
the data processing system to become coupled to other data
processing systems or remote printers or storage devices through
intervening private or public networks. Modems, cable modems and
Ethernet cards are just a few of the currently available types of
network adapters.
[0028] The flowchart and block diagrams in the Figures illustrate
the architecture, functionality, and operation of possible
implementations of systems, methods and computer program products
according to various embodiments of the present invention. In this
regard, each block in the flowchart or block diagrams may represent
a module, segment, or portion of code, which comprises one or more
executable instructions for implementing the specified local
function(s). It should also be noted that, in some alternative
implementations, the functions noted in the block may occur out of
the order noted in the Figures. For example, two blocks shown in
succession may, in fact, be executed substantially concurrently, or
the blocks may sometimes be executed in the reverse order,
depending upon the functionality involved. It will also be noted
that each block of the block diagrams and/or flowchart
illustration, and combinations of blocks in the block diagrams
and/or flowchart illustration, can be implemented by special
purpose hardware-based systems that perform the specified functions
or acts, or combinations of special purpose hardware and computer
instructions.
[0029] The terminology used herein is for the purpose of describing
particular embodiments only and is not intended to be limiting of
the invention. As used herein, the singular forms "a", "an" and
"the" are intended to include the plural forms as well, unless the
context clearly indicates otherwise. It will be further understood
that the terms "comprises" and/or "comprising," when used in this
specification, specify the presence of stated features, integers,
steps, operations, elements, and/or components, but do not preclude
the presence or addition of one or more other features, integers,
steps, operations, elements, components, and/or groups thereof.
[0030] In an embodiment illustrated in FIG. 1, a service gateway
110 processes a service session 302 between a host 100 and a server
210. In one embodiment, service session 302 is a Web service
session such as a HTTP (Hypertext Transport Protocol) session, a
secure HTTP session, a FTP (File Transfer Protocol) session, a file
transfer session, a SIP (Session Initiation Protocol) session, a
session based on Web technology, a video or audio streaming
session, a Web conferencing session, or any session over the
Internet, corporate network, data center network, or a network
cloud. Service session 302 includes a plurality of data packets
between host 100 and server 210. Service session 302 is delivered
over a data network 153.
[0031] Host 100 is a computing device with network access
capabilities. In one embodiment, host 100 is a workstation, a
desktop personal computer or a laptop personal computer. In one
embodiment, host 100 is a Personal Data Assistant (PDA), a tablet
PC, a smartphone, or a cellular phone. In one embodiment, host 100
is a set-top box, an Internet media viewer, an Internet media
player, a smart sensor, a smart medical device, a net-top box, a
networked television set, a networked DVR, a networked Blu-ray
player, or a media center.
[0032] Service gateway 110 is operationally coupled to a processor
113 and a computer readable medium 114. The computer readable
medium 114 stores computer readable program code, which when
executed by the processor 113, implements the various embodiments
of the present invention as described herein. In some embodiments,
service gateway 110 is implemented as a server load balancer, an
application delivery controller, a service delivery platform, a
traffic manager, a security gateway, a component of a firewall
system, a component of a virtual private network (VPN), a load
balancer for video servers, or a gateway to distribute load to one
or more servers.
[0033] Server 210 is operationally coupled to a processor 213 and a
computer readable medium 214. The computer readable medium 214
stores computer readable program code, which when executed by the
processor 213, implements the various embodiments of the present
invention as described herein. In some embodiments, the computer
readable program code implements server 210 as a Web server, a file
server, a video server, a database server, an application server, a
voice system, a conferencing server, a media gateway, a SIP server,
a remote access server, a VPN server, a media center, an app server
or a network server providing a network or application service to
host 100.
[0034] In one embodiment, data network 153 is an Internet Protocol
(IP) network. In one embodiment, data network 153 is a corporate
data network or a regional corporate data network. In one
embodiment, data network 153 is an Internet service provider
network. In one embodiment, data network 153 is a residential data
network. In one embodiment, data network 153 includes a wired
network such as Ethernet. In one embodiment, data network 153
includes a wireless network such as a WiFi network, or cellular
network. In one embodiment, data network 153 resides in a data
center, or connects to a network or application network cloud.
[0035] In one embodiment, service session 302 includes a data
packet 304 from host 100. Data packet 304 includes a service
address 331. In one embodiment, service address 331 includes an IP
address. In one embodiment, service address 331 includes an
application layer address or a transport layer port number, such as
transmission control protocol (TCP) port number or user datagram
protocol (UDP) port number. Service address 331 is associated with
service gateway 110 so that the service data packet 304 of service
session 302 is processed by the service gateway 110. In one
embodiment, service address 331 includes a destination IP address
of service data packet 304, and optionally includes destination
transport layer port number of service data packet 304.
[0036] Service gateway 110 determines a server address 310
associated with the service address 331 obtained from service data
packet 304. In one embodiment, server address 310 includes a
network address or IP address of server 210. In one embodiment,
server address 310 includes an application layer address, such as a
TCP port number or a UDP port number of server 210.
[0037] Based on server address 310, service gateway 110 modifies
service data packet 304 by replacing service address 331 with
server address 310. Service gateway 110 sends modified service data
packet 304 to server 210.
[0038] In one embodiment, service gateway 110 receives a data
packet 308 of service session 302 from server 210. Service gateway
110 processes data packet 308. Data packet 308 includes server
address 310. Service gateway 110 determines a service address 331
associated with server address 310 obtained from service data
packet 308. Service gateway 110 modifies data packet 308 by
replacing server address 310 with service address 331. Service
gateway 110 sends modified data packet 308 to host 100.
[0039] In one embodiment, service gateway 110 includes storage 400,
and a service mapping table 412 (not shown) stored in storage 400.
In one embodiment, storage 400 is a memory module residing in
service gateway 110. In one embodiment, service gateway 110
includes a network processing module (not shown) comprising a field
programmable gate array (FPGA), a network processor, or an application
specific integrated circuit (ASIC). Storage 400 is associated with
the network processing module. Examples of storage 400 in this
embodiment include a content addressable memory (CAM), a ternary
content addressable memory (TCAM), a static random accessible
memory (SRAM), or a dynamic random accessible memory (DRAM).
[0040] FIG. 2 illustrates an embodiment of a managed service
mapping table 412 of service gateway 110 according to the present
invention. In one embodiment, service gateway 110 includes a
service entry 511 and a service entry 514. Service entry 511
includes service address 331 and server address 310, associating
service address 331 and server address 310. Service entry 514
includes service address 334 and server address 340, associating
service address 334 and server address 340. Server address 310 is
different from server address 340. Server address 310 is associated
with server 210 and server address 340 is associated with server
240. In one embodiment, server 210 is the same as server 240.
Server address 310 associates with a server software application
different from the server software application associated to server
address 340. In one embodiment, server address 310 and server
address 340 are associated with a same server software application
whereas server 210 is different from server 240. In one embodiment,
server address 310 and server address 340 are not related to each
other.
[0041] In one embodiment, service mapping table 412 includes a
service table entry 420 which is associated with service entry 511.
Service gateway 110 may modify service table entry 420 from being
associated with service entry 511 to being associated with service
entry 514.
[0042] In one embodiment, for host 100 to use the service
associated with service entry 514, service gateway 110 activates
service entry 514. Service gateway 110 selects service table entry
420 to activate service entry 514, wherein service table entry 420
also has an association with service entry 511. A process for
determining the service table entry 420 in order to activate
service entry 514 is described further below with reference to FIG.
4.
[0043] In one embodiment, to deactivate the service associated with
service entry 511, service gateway 110 removes service entry 511
from service table entry 420. Service gateway 110 selects service
entry 514 to replace service entry 511 in service table entry 420.
A process for selecting the service entry 514 to replace service
entry 511 in service table entry 420 is described further below
with reference to FIG. 5.
[0044] In one embodiment, service gateway 110 modifies service
table entry 420 to include an association with a second service
entry 514. Service table entry 420 is thus associated with both
service entry 511 and service entry 514. In one embodiment, service
gateway 110 stores a change marker 427 into service table entry
420. In one embodiment, service table entry 420 includes a change
marker 427 and service gateway 110 modifies the change marker 427
value to "TRUE" to indicate that service table entry 420 includes
two service entry associations. The association of service table
entry 420 with two service entries indicates that one service entry
is to be removed and replaced by the other service entry, which
will remain associated with service table entry 420.
[0045] In one embodiment, service gateway 110 is connected to a
clock 119. Service gateway 110 includes a timer 117. Service
gateway 110 sets timer 117 to a predetermined time period such as
10 minutes, 5 seconds, 2 minutes, or 1 hour. Service gateway 110
sets timer 117 while storing service entry 514 into service table
entry 420. Service gateway 110 checks clock 119 to determine if
timer 117 expires. When timer 117 expires, service gateway 110
changes marker 427 to "FALSE" or removes marker 427 from service
table entry 420. Service gateway 110 also removes the association
to service entry 511 from service table entry 420. The use of the
timer 117 is described further below with reference to FIGS. 4 and
5.
[0046] FIGS. 3A-3F illustrate an embodiment of a data packet
processing of service gateway using a service mapping table
according to the present invention.
[0047] In one embodiment illustrated in FIG. 3A, service gateway
110 includes a session table 452 for storing information for
sessions between hosts and servers. Session table 452 is stored in
storage 400.
[0048] Service mapping table 412 includes a service table entry 420
and a service table entry 423. Service table entry 420 includes
marker 427, which here has a value of "FALSE". The service table
entry 420 is associated with service entry 511. Service entry 511
stores service address 331 and server address 310 associated with
server 210.
[0049] Service table entry 423 includes marker 429, which here has
a value of "TRUE". Service table entry 423 is associated with
service entry 514 and service entry 516. Service entry 514 includes
service address 334 and server address 340 associated with server
240. Service entry 516 stores service address 336 and server
address 360 associated with server 260.
[0050] In one embodiment, service gateway 110 receives a data
packet 304 from host 100. Service gateway 110 obtains service
address 338 from data packet 304. Service gateway 110 compares
service address 338 against service mapping table 412, and finds a
match with service table entry 420.
[0051] In one embodiment, service mapping table 412 includes a
plurality of service table entries. A service table entry 420 is
indexed by a table index 430. In one embodiment, service mapping
table 412 has 1000 entries and the table index 430 has an integer
value between 0 and 999. In one embodiment, table index 430 has a
value between 1 and 1000. In one embodiment, table index 430 has a
value between 55 and 4897, or between -7 and 198024. In one
embodiment, table index 430 has a non-integer value.
[0052] In one embodiment, service gateway 110 includes a hash
function HFunc 701. Service gateway 110 compares service address
338 against service mapping table 412 using HFunc 701.
[0053] Service gateway 110 applies HFunc 701 to service address 338
to obtain a hash value HValue 711. Service gateway 110 compares
HValue 711 against service mapping table 412 to find a match with
table index 430. Service gateway 110 retrieves service table entry
420 using table index 430. In one embodiment, HValue 711 has the
same value as table index 430.
[0054] Examples of hash functions HFunc 701 include CRC checksum
functions and other checksum functions; hash functions using a
combination of bit-wise operators such as bit-wise AND operator,
bit-wise OR operator, bit-wise NAND operator and bit-wise XOR
operator; MD5 hash functions and other cryptography hash functions;
Jenkins hash function and other non-cryptography hash functions;
hardware based hash functions implemented in FPGA, ASIC or an
integrated circuit board of service gateway 110; and other types of
hash functions or table lookup functions. Typically such hash
functions are simple and can be calculated rapidly by service
gateway 110.
[0055] Service gateway 110 checks marker 427 of service table entry
420. Marker 427 has a value "FALSE". Service gateway 110 modifies
data packet 304 by replacing service address 338 with server
address 310. Service gateway 110 sends modified data packet 304 to
server 210, which is associated with server address 310.
[0056] In one embodiment, assume that the service associated with
service entry 514 is to be replaced by the service associated with
service entry 516, i.e., service entry 514 is to be replaced by
service entry 516 in service table entry 423. Service gateway 110
compares service address 338 with service table entry 423 and finds
a match between service address 338 and service address 334 of the
associated service entry 514. In response, service gateway 110
determines marker 429 of service table entry 423 to be "TRUE".
Service gateway 110 creates a session entry 454 based on service
table entry 423. Referring now to FIG. 3B, in one embodiment,
service gateway 110 uses the associated service entry 514 of
service table entry 423 to create session entry 454. Service
gateway 110 obtains server address 340 from service entry 514, and
stores service address 338 and server address 340 into session
entry 454. In one embodiment, service gateway 110 obtains host
address 108 from data packet 304 and stores host address 108 into
session entry 454. Host address 108 is associated with host 100. In
one embodiment, host address 108 includes an IP address or a
network address of host 100. In one embodiment, host address 108
further includes an application layer address, a TCP port number,
or a UDP port number of host 100. Service gateway 110 stores
session entry 454 into session table 452. Service gateway 110 uses
session entry 454 to process data packet 304. Service gateway 110
modifies data packet 304 by replacing service address 338 by server
address 340 of session entry 454. Service gateway 110 sends
modified data packet 304 to server 240.
[0057] In one embodiment, service gateway 110 compares service
address 338 against service table entry 423 and finds service
address 338 matching service address 336 of the associated service
entry 516 of service table entry 423, the new associated service
entry. Service gateway 110 determines marker 429 of service table
entry 423 to be "TRUE". Referring now to FIG. 3C, service gateway
110 uses service entry 516 to create session entry 454. Service
gateway 110 stores service address 338, server address 360 of
service entry 516 into session entry 454. In one embodiment,
service gateway 110 stores host address 108 into session entry 454.
Service gateway 110 modifies data packet 304 by replacing service
address 338 by server address 360 and sends modified data packet
304 to server 260.
[0058] In one embodiment, service gateway 110 checks if data packet
304 includes a session request. For example, data packet 304
includes a TCP SYN packet. Service gateway 110 uses new associated
service entry 516 of service table entry 423 to create session
entry 454, as described above with reference to FIG. 3C.
[0059] In one embodiment, service gateway 110 compares data packet
304 against session table 452 prior to comparing data packet 304
against service mapping table 412. In one embodiment, service
gateway 110 matches service address 338 of data packet 304 against
session table 452. In one embodiment, service gateway 110 further
obtains host address 108 of data packet 304, and compares service
address 338 and host address 108 against session table 452. In an
embodiment, service gateway 110 finds a match with session entry
454. Service gateway 110 modifies data packet 304 by replacing
service address 338 of data packet 304 by server address of session
entry 420, and sends modified data packet 304 to the associated
server of the server address of session entry 454.
[0060] In one embodiment, service gateway 110 does not find a match
between data packet 304 and session table 452. In response, service
gateway 110 proceeds to compare data packet 304 against service
mapping table 412, as described above.
[0061] Referring now to FIG. 3D, in one embodiment, service gateway
110 receives a data packet 308 from a server. In one embodiment,
service gateway 110 receives data packet 308 from server 210.
Service gateway 110 obtains server address 310 of data packet 308,
compares server address 310 against service mapping table 412, and
finds a match with service table entry 420. In one embodiment,
service gateway 110 applies hash function HFunc 701 to server
address 310 to obtain HValue 715. Service gateway 110 compares
HValue 715 against service mapping table 412 and finds a match with
table index 430. Service gateway 110 retrieves service table entry
420 using table index 430. Service gateway 110 checks marker 427 of
service table entry 420 to be "FALSE". Service gateway 110 modifies
data packet 308 by replacing server address 310 by service address
331 of service entry 511 of service table entry 420. Service
gateway 110 sends modified data packet 308 to host 100.
[0062] In one embodiment, service gateway 110 receives data packet
348 from server 240. Service gateway 110 obtains server address 340
of data packet 348, and compares server address 340 against service
mapping table 412. Service gateway 110 finds a match with service
table entry 423. Service gateway 110 checks marker 429 of service
table entry 423 to be "TRUE". In response, referring to FIG. 3E,
service gateway 110 creates a session entry 464 (FIG. 3E) using
server address 340 and service table entry 423. Service gateway 110
stores server address 340 in session entry 464. Service gateway 110
further checks and determines server address 340 matches the
existing associated service entry 514 of service table entry 423.
Service gateway 110 associates session entry 464 to service address
334 of service entry 514 in session entry 464. Service gateway 110
stores the session entry 464 in the session table 452. In one
embodiment, service gateway 110 extracts host address 108 from data
packet 348 and stores host address 108 in session entry 464 as
well.
[0063] Service gateway 110 modifies data packet 348 by replacing
server address 340 with service address 331, and sends modified
data packet 348 to host 100, which is associated with host address
108.
[0064] In one embodiment, service gateway 110 receives data packet
349 from server 260. Service gateway 110 obtains server address 360
of data packet 349, and compares server address 360 against service
table entry 423. Service gateway 110 finds a match with service
table entry 423. Service gateway 110 checks marker 429 of service
table entry 423 to be "TRUE". Service gateway 110 further
determines server address 360 of data packet 349 matches server
address 360 of service entry 516 associated with service table
entry 423. Referring now to FIG. 3F, service gateway 110 creates a
session entry 466 using server address 360 and service entry 516.
Service gateway 110 stores server address 360 and service address
336 of service entry 516 into session entry 466. Service gateway
110 stores session entry 466 into session table 452. In one
embodiment, service gateway 110 extracts host address 108 from data
packet 349 and stores host address 108 into session entry 466.
[0065] Service gateway 110 modifies data packet 349 by replacing
server address 360 with service address 336, and sends modified
data packet 349 to host 100 corresponding to host address 108.
[0066] In one embodiment, service gateway 110 compares data packet
349 against session table 452 prior to comparing data packet 349
against service mapping table 412. Service gateway 110 obtains
server address 360 of data packet 308 and compares server address
360 against session table 452. In one embodiment, service gateway
110 further obtains host address 108 of data packet 308 and matches
server address 360 together with host address 108 against session
table 452. In an embodiment, service gateway 110 finds a match with
session entry 466. Service gateway 110 modifies data packet 308 by
replacing server address 360 of data packet 304 by service address
336 of session entry 466, and sends modified data packet 349 to
host 100 associated to host address 108.
[0067] In one embodiment, service gateway 110 does not find a match
between data packet 308 and session table 452. Service gateway 110
proceeds to compare data packet 308 against service mapping table
412, as described above.
[0068] In one embodiment, service gateway 110 uses session entry
466 created using data packet 308 received from server 260, in
comparing subsequent host-side session data packets against session
table 452. In one embodiment, service gateway 110 uses session
entry 454 created using data packet 304 received from host 100, in
comparing subsequent server-side session data packets against
session table 452.
[0069] FIG. 4 illustrates an embodiment of a process to activate a
service entry according to the present invention. In one
embodiment, service mapping table 412 includes service table entry
420 indexed by table index 430. Service table entry 420 is
associated with service entry 511.
[0070] Service gateway 110 includes a hash function HFunc 702. In
one embodiment, HFunc 702 is the same as HFunc 701. In one
embodiment, HFunc 702 is different from HFunc 701.
[0071] In one embodiment, service gateway 110 activates service
entry 514, which includes service address 334 and server address
340. In one embodiment, service gateway 110 receives service entry
514 from a user 130. In one embodiment, user 130 is a network
administrator, or a network management system. In one embodiment,
service gateway receives service entry 514 from a pre-determined
configuration retrieved from storage or received remotely from a
network.
[0072] Service gateway 110 applies hash function HFunc 702 to
service entry 514 to obtain a hash value HValue 712. In one
embodiment, HFunc 702 is applied to service address 334. In one
embodiment, HFunc 702 is applied to server address 340. In one
embodiment, HFunc 702 is applied to both service address 334 and
server address 340. Service gateway 110 calculates a hash value
HValue 712. In one embodiment, hash value HValue 712 matches table
index 430 of service mapping table 412. Service gateway 110
retrieves service table entry 420 using table index 430. Service
gateway 110 adds an association with service entry 514 to service
table entry 420 so that service table entry 420 is associated with
both service entry 511 and service entry 514. In one embodiment,
service gateway 110 stores a change marker 427 to service table
entry 420 or sets the change marker 427 value to "TRUE".
[0073] In one embodiment, service gateway 110 sets a timer 117 for
the activation of service entry 514. When timer 117 expires,
service gateway 110 removes the association with service entry 511
from service table entry 420. Service gateway 110 removes change
marker 427 from service table entry 420 or changes the value of
marker 427 to "FALSE". Service table entry 420 maintains the
association with service entry 514. By setting the timer 117,
existing connections related to service entry 511 may be migrated
to the session table 452, as described above, prior to the removal
of service entry 511 from service table entry 420, reducing
disruptions to existing session connections.
[0074] FIG. 5 illustrates a process to deactivate a service entry
511. Service mapping table 412 includes a service table entry 420
associated with service entry 511. Service mapping table 412
further includes a second service table entry 423 associated with
service entry 514 different from service entry 511. Service gateway
110 receives a deactivate indication 172, such as a deactivate
command or request, to deactivate service entry 511. In one
embodiment, service gateway 110 receives the indication 172 from
user 130. In one embodiment, service gateway 110 receives the
indication 172 from a pre-determined configuration retrieved from
storage or remotely over a data network.
[0075] Indication 172 includes service entry 511. Service entry 511
includes service address 331 and server address 310. Service
gateway 110 obtains service entry 511 from indication 172.
[0076] In one embodiment, service gateway 110 calculates a hash
value HValue 712 by applying HFunc 702 to service entry 511. In one
embodiment, service gateway 110 applies HFunc 702 to service
address 331 of service entry 511. In one embodiment, service
gateway 110 applies HFunc 702 to server address 310 of service
entry 511. In one embodiment, service gateway applies HFunc 702 to
both service address 331 and server address 310. Service gateway
110 compares HValue 712 against service mapping table 412 and finds
a match with table index 430. Service gateway 110 retrieves service
table entry 420 using table index 430 from service mapping table
412.
[0077] In one embodiment, service gateway 110 compares service
entry 511 against service mapping table 412. In one embodiment,
service gateway 110 compares service address 331 of service entry
511 to service address 331 of service table entry 420 and finds a
match. In one embodiment, service gateway 110 compares server
address 310 of service entry 511 to server address 310 of service
table entry 420 and finds a match. In one embodiment, service
gateway 110 compares both service address 331 and server address
310 of service entry 511 and finds a match with service table entry
420. Service gateway 110 determines table index 430 of the matching
service table entry 420.
[0078] Service gateway 110 proceeds to select a replacement service
entry 514 for service table entry 423. In one embodiment, in
selecting service entry 514 from service mapping table 412, service
gateway 110 selects a service table entry 423 and applies hash
function HFunc 702 to service entry 514 of service table entry 423.
Service gateway 110 calculates a hash value HValue 713 by applying
HFunc 702 to service entry 514. Service gateway 110 compares HValue
713 to table index 430 and finds a match. Service gateway 110 adds
an association with service entry 514 to service table entry 420 so
that service table entry 420 is associated with both service entry
511 and service entry 514. In one embodiment, service gateway 110
stores a change marker 427 to service table entry 420 or sets the
change marker 427 value to "TRUE". In one embodiment, service
gateway 110 selects service entry 514 by applying the hash function
HFunc 702 to one or more service entries in service mapping table
412.
[0079] In one embodiment, service gateway 110 sets a timer 117 for
the activation of service entry 514. When timer 117 expires,
service gateway 110 removes the association with service entry 511
from service table entry 420. Service gateway 110 removes change
marker 427 from service table entry 420 or changes the value of
marker 427 to "FALSE". Service table entry 420 maintains an
association with service entry 514.
[0080] In one embodiment, service table entry 420 includes a
pre-determined alternate association service entry 514. In one
embodiment, service gateway 110 selects service entry 514 by
retrieving the alternate association service entry 514 of service
table entry 420 from storage or remotely over a data network.
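The activation and deactivation processes of FIGS. 4 and 5, together with the host-side packet lookup of FIGS. 3A-3C, are modeled below as an added illustration; it is not code from the application. The class and function names, the additive checksum standing in for HFunc, the never-expiring session entries, and the sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

TABLE_SIZE = 1000  # the text's example: table index between 0 and 999

@dataclass(frozen=True)
class ServiceEntry:
    service_addr: str  # address hosts send to ("ip:port")
    server_addr: str   # address the gateway rewrites it to

@dataclass
class TableEntry:
    entries: List[ServiceEntry] = field(default_factory=list)  # [current] or [old, new]
    marker: bool = False                # change marker, True while two entries are associated
    expires_at: Optional[float] = None  # deadline of the hold timer

def hfunc(addr: str) -> int:
    # Assumption: an additive checksum stands in for HFunc so that the
    # constructed sample addresses below collide deterministically.
    return sum(addr.encode()) % TABLE_SIZE

class ServiceGateway:
    def __init__(self, hold_seconds: float = 120.0):
        self.table = {}     # table index -> TableEntry (service mapping table)
        self.sessions = {}  # (host_addr, service_addr) -> pinned server_addr
        self.hold = hold_seconds

    def install(self, entry: ServiceEntry) -> None:
        self.table[hfunc(entry.service_addr)] = TableEntry([entry])

    def _pair(self, idx: int, new: ServiceEntry, now: float) -> TableEntry:
        # Add a second association, set the marker and start the timer.
        slot = self.table.setdefault(idx, TableEntry())
        if slot.marker:
            raise RuntimeError("a change is already in progress for this table entry")
        slot.entries.append(new)
        if len(slot.entries) == 2:
            slot.marker, slot.expires_at = True, now + self.hold
        return slot

    def activate(self, new, now):
        return self._pair(hfunc(new.service_addr), new, now)

    def deactivate(self, old, candidates, now):
        # Pick the replacement whose hash matches the old entry's table index.
        idx = hfunc(old.service_addr)
        slot = self.table.get(idx)
        if slot is None or old not in slot.entries:
            raise KeyError("service entry is not active")
        for cand in candidates:
            if cand != old and hfunc(cand.service_addr) == idx:
                self._pair(idx, cand, now)
                return cand
        raise LookupError("no candidate hashes to the same table index")

    def expire(self, now):
        # Timer expiry: drop the older association and clear the marker.
        for slot in self.table.values():
            if slot.marker and now >= slot.expires_at:
                slot.entries = slot.entries[-1:]
                slot.marker, slot.expires_at = False, None

    def route_from_host(self, host_addr, service_addr, now):
        """Return the server address a host packet is rewritten to, or None."""
        self.expire(now)
        pinned = self.sessions.get((host_addr, service_addr))
        if pinned is not None:  # session table is consulted first
            return pinned
        slot = self.table.get(hfunc(service_addr))
        candidates = slot.entries if slot else []
        match = next((e for e in candidates if e.service_addr == service_addr), None)
        if match is None:
            return None
        if slot.marker:  # during a change, pin the flow in the session table
            self.sessions[(host_addr, service_addr)] = match.server_addr
        return match.server_addr

# Constructed sample entries; the two service addresses are anagrams, so they
# share a checksum and therefore a table index.
OLD = ServiceEntry("198.51.100.12:80", "10.0.0.10:8080")
NEW = ServiceEntry("198.51.100.21:80", "10.0.0.20:8080")

if __name__ == "__main__":
    gw = ServiceGateway(hold_seconds=120)
    gw.install(OLD)
    gw.activate(NEW, now=0)
    print(gw.route_from_host("host-a", OLD.service_addr, now=10))   # pinned to old server
    print(gw.route_from_host("host-a", OLD.service_addr, now=200))  # still old, via session
    print(gw.route_from_host("host-b", OLD.service_addr, now=200))  # None, mapping removed
```

Only flows seen while the marker is set are copied into the session table, so a host that first contacts the old service address after the timer expires finds no mapping.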
[0081] Although the present invention has been described in
accordance with the embodiments shown, one of ordinary skill in the
art will readily recognize that there could be variations to the
embodiments and those variations would be within the spirit and
scope of the present invention. Accordingly, many modifications may
be made by one of ordinary skill in the art without departing from
the spirit and scope of the appended claims.
* * * * *